When Paul X. McNeil decided to rob a cannabis dispensary owner in Trenton, New Jersey, he didn't need a database. He didn't need to file a records request or run a search engine query. He needed two things that any operator running a legitimate, licensed business provides by default. A visible business presence. And a pattern.
On August 10, 2023, McNeil followed Anthony Irizarry from his cannabis store in Trenton to his condominium on Medrey Court in Lawrence Township. He entered the residence. He held Irizarry at gunpoint and demanded the shop's cash proceeds. Irizarry's wife pleaded for her husband's life. McNeil shot him in the living room. Irizarry, 36 years old, died at the hospital hours later.
The federal indictment unsealed December 11, 2024 by the U.S. Attorney's Office for the District of New Jersey, as reported by NJ.com and NBC10 Philadelphia, charges McNeil with murder during and in relation to a crime of violence, conspiracy to commit Hobbs Act robbery, three counts of Hobbs Act robbery, and multiple weapons violations. Prosecutors stated that McNeil chose his victims specifically because they had access to business cash proceeds.
He didn't target random individuals. He targeted business owners.
Understanding why that targeting was possible requires examining the infrastructure that made it easy, not only the violence that made it visible.
New Jersey's cannabis licensing framework, administered by the Cannabis Regulatory Commission, requires that each licensed operation publish its business location, principal officers, and operational details in a publicly accessible registry. This is standard across regulated industries. Alcohol license holders, mortgage professionals, financial advisors, licensed contractors, and healthcare providers all carry corresponding public records with their business identity attached. The registry is not a security gap in isolation. The gap opens at the intersection of the registry and the operator's daily behavior.
When a business owner operates from a fixed commercial location, that location becomes the anchor for physical observation. The license confirms the operator's identity and business role. The storefront confirms their schedule and physical presence. The cash-handling nature of the business confirms the value of targeting them. All three pieces of information are accessible through standard means.
McNeil's method required no technical sophistication. He identified a business operator with confirmed cash access, observed the operational pattern at a known commercial location, and followed that operator from a location he already knew to a location he didn't. The infrastructure that certified Irizarry's legitimate operation created the conditions for that sequence. The licensing database was the first entry point. The fixed business address was the second. The observable pattern was the third.
Much of the discussion around business registration and address exposure focuses on what is written in a document. The home address on an LLC filing. The residential address used as registered agent. The personal information embedded in a state licensing database. Those are real vectors, documented in hundreds of cases and cited in the legislative records of states that have since extended address confidentiality programs specifically because of that category of harm.
But the Irizarry case surfaces a structural vulnerability that persists even when the document problem is partially solved. A business owner who operates from a fixed commercial location, whose name appears in a public licensing database, and whose movement between that location and their home is observable has not separated their business identity from their personal physical exposure. The filing may list a third-party registered agent. The physical pattern still maps the operator's home.
This is the layer most operators never audit. They manage what is written. They do not manage what is observable.
Federal prosecutors noted that McNeil selected victims based on access to cash. That selection criteria required only knowing which operators handled cash in volume. Cannabis businesses in New Jersey operate in a cash-dependent environment because federal banking restrictions prevent most cannabis operators from accessing standard financial infrastructure. This is publicly understood industry context.
The result is that a licensed cannabis business owner in New Jersey carries a public identity that combines three risk factors simultaneously. They are registered in a public database by name and business address. They operate in an industry known to carry significant undeclared cash. And they move between their business and their home on a schedule that repeats.
None of those three factors individually creates the exposure. Their combination does.
The pattern extends well beyond cannabis. Any small business owner in a cash-intensive or regulated industry, whose business location is publicly indexed and whose daily movement is observable, carries the same combined structural exposure. The specific industry changes. The underlying structure does not.
The forensic question is not why someone targeted Anthony Irizarry. The forensic question is what infrastructure would have had to be in place for the targeting to fail at the selection stage, before any harm was possible.
At the selection stage, McNeil needed a target with confirmed cash access and an observable physical pattern. The public licensing database confirmed the cash-handling business. The fixed commercial location confirmed the schedule. Neither factor required the attacker to breach any system, access any restricted record, or demonstrate any technical capability beyond observation and a working knowledge of which industries operate on cash.
The infrastructure that failed was the infrastructure that allowed a business owner's registration to function as a physical targeting document. The license confirmed the business. The business confirmed the cash. The building confirmed the schedule. The schedule confirmed the route. The route confirmed the home.
None of those steps required a court order, a data breach, or a technical exploit. They required patience and a car.
The question most business owners never ask is whether the infrastructure they assembled to legitimize their operation also built a navigational map to where they live.
Source: U.S. Attorney's Office for the District of New Jersey, federal indictment unsealed December 11, 2024. Reported by NJ.com and NBC10 Philadelphia.